Athena Forensics - Computer Forensics News
Dropbox - A Free Pass through the Firewall
Hundreds of millions of people rely on Dropbox and similar services to store, share, and update their files; however, a growing body of research shows how cloud storage synchronisation services can be used to get around firewalls.
Dropbox and similar services have exploded in popularity in recent years because users find it so convenient to simply drag files to an icon that puts that data in the cloud, shares it with others, and automatically syncs new versions across multiple devices.
But ease of use and insecurity often go hand in hand, and now researchers are revealing an uncomfortable truth: if a computer with Dropbox functionality is compromised, the synching feature allows any malware installed by the attacker to reach other machines and networks using the service. Once Dropbox is configured, anything placed in the synchronisation folder gets a free pass through the firewall. Tests were carried out on several services, and data was permitted through the firewall in each case.
This vulnerability is not restricted to Dropbox but extends to SkyDrive, Google Drive, SugarSync, and Amazon Cloud Drive. It is similar to e-mail in the '90s: users wanted the service, but with it came spam, malware command and control, and malware distribution. We just don't have detection and security tools that cover Dropbox and similar services yet.
No one at Dropbox would comment on the matter. The service has more than 175 million users.
The research on Dropbox and similar services adds to a litany of recent security concerns over storing data and doing computation on remote or "cloud" servers. While such services can be better than running everything yourself, security researchers keep finding new ways to attack them. It is likely that with the increasing use of cloud-based services, these kinds of attacks are going to reappear until the platforms mature. The attack described above is not in fact on Dropbox but rather on people's use of Dropbox. Dropbox just facilitated a channel for [infected] documents through the corporate firewall - taking advantage of a well-put-together combination of existing exploits.
The exploit for Dropbox was discovered when a computer security firm was asked to investigate the security of a corporate network. As a first step, unrelated to Dropbox, they obtained a personal e-mail address for the CIO and successfully carried out a "spear-phishing" attack when the CIO clicked on an attached file containing malware. When the CIO was away from the office with his laptop, they were able to get access to the computer - and found corporate documents in a Dropbox synchronisation folder.
This by itself wasn't Dropbox's fault; everything on the machine - passwords, family photos - was exposed. But the crucial next step involved using Dropbox and its synching powers to load a malware file that would then appear in folders inside the corporate network.
They wrote a malicious file called DropSmack and used it to infect a file already in the CIO's Dropbox folder. When the CIO next opened that file, DropSmack allowed malicious commands to be sent inside the corporate network via files synchronised by Dropbox - including commands that allowed files to be stolen. The attack was later replicated with several other popular cloud-storage synching services.
While no attacks are known to have occurred this way, it is unlikely that no one, anywhere, has considered it, and unfortunately this type of attack is nearly impossible to detect with current tools. Data loss prevention tools have a really hard time with Dropbox and the like; they really fail at protecting these services.
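One defender-side check for the gap the article describes (files arriving through a sync folder rather than across the network perimeter), as an added example that is not part of the article or of any Dropbox tooling: it assumes the sync folder is a plain local directory such as ~/Dropbox, and the signature table and labels are constructed for the example.

```python
"""Sweep a sync folder for recently written files that carry native code,
scripts or Office macros: content a document-sharing folder should not deliver.
Added example; assumes the sync folder is an ordinary local directory."""
import os
import time
import zipfile

# Constructed signature table: leading bytes that identify native code and scripts.
EXECUTABLE_MAGIC = {
    b"MZ": "windows-pe",
    b"\x7fELF": "elf",
    b"\xcf\xfa\xed\xfe": "mach-o",
    b"#!": "script",
}
# Extensions users expect to be harmless documents in a shared folder.
DOC_EXTENSIONS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".pdf"}


def classify(path):
    """Return a finding label for one file, or None if nothing stands out."""
    with open(path, "rb") as f:
        head = f.read(8)
    ext = os.path.splitext(path)[1].lower()
    for magic, label in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            # Code is suspect in a sync folder, doubly so behind a document extension.
            return f"{label}-with-document-extension" if ext in DOC_EXTENSIONS else label
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as z:
            # OOXML documents keep VBA in word/, xl/ or ppt/ as vbaProject.bin.
            if any(name.endswith("vbaProject.bin") for name in z.namelist()):
                return "office-macro"
    return None


def scan_sync_folder(root, max_age_seconds=3600, now=None):
    """Walk the sync folder and list (relative path, label) for files written
    within max_age_seconds that look like code or macro-bearing documents."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if now - os.path.getmtime(path) > max_age_seconds:
                continue  # only newly synced files are of interest
            label = classify(path)
            if label:
                findings.append((os.path.relpath(path, root), label))
    return sorted(findings)
```

Run it on a schedule, or from a file-system watcher, against each endpoint's sync folder and forward findings to the SIEM; a hit on a document extension is the case most worth escalating.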